asyncrat | 8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Window Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Window Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Window Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Window Security.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023559-50.dat	family_quasar
behavioral1/memory/644-77-0x0000000000B50000-0x0000000000BDC000-memory.dmp	family_quasar

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023557-27.dat	family_stormkitty
behavioral1/files/0x0009000000023558-34.dat	family_stormkitty
behavioral1/memory/2364-74-0x0000000000110000-0x0000000000140000-memory.dmp	family_stormkitty
behavioral1/memory/4752-75-0x0000000000EB0000-0x0000000000EEE000-memory.dmp	family_stormkitty

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x0009000000023556-16.dat	family_asyncrat
behavioral1/files/0x0008000000023557-27.dat	family_asyncrat
behavioral1/files/0x0009000000023558-34.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	procexp64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	procexp64.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	Windows Defender Service Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	Cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	Window Security.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	Window Security.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	Window Security.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	BTC.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Service Host.lnk	Windows Defender Service Host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Service Host.lnk	Windows Defender Service Host.exe

Executes dropped EXE 16 IoCs

pid	Process
4256	crack.exe
3604	Cracked.exe
2364	svchost.exe
4752	update.exe
644	Window Security.exe
3696	Windows Defender Service Host.exe
2220	Windows Security.exe
1712	Windows Security Health Service.exe
5864	Window Security.exe
5316	Windows Defender Service Host.exe
1500	Windows Defender Service Host.exe
2172	procexp.exe
6016	procexp.exe
1956	Windows Defender Service Host.exe
5992	procexp64.exe
3376	Window Security.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Window Security.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Window Security.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Service Host = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender Service Host.exe"	Windows Defender Service Host.exe

Drops desktop.ini file(s) 14 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\bc12c5b12918061caa4a8f7825168fa6\Admin@SYMRKCCU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\e0e214b4d2b81ec03aca51fd1994fc50\Admin@SYMRKCCU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	update.exe
File created	C:\Users\Admin\AppData\Local\e0e214b4d2b81ec03aca51fd1994fc50\Admin@SYMRKCCU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	update.exe
File opened for modification	C:\Users\Admin\AppData\Local\bc12c5b12918061caa4a8f7825168fa6\Admin@SYMRKCCU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\bc12c5b12918061caa4a8f7825168fa6\Admin@SYMRKCCU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\e0e214b4d2b81ec03aca51fd1994fc50\Admin@SYMRKCCU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	update.exe
File created	C:\Users\Admin\AppData\Local\e0e214b4d2b81ec03aca51fd1994fc50\Admin@SYMRKCCU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	update.exe
File created	C:\Users\Admin\AppData\Local\bc12c5b12918061caa4a8f7825168fa6\Admin@SYMRKCCU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\bc12c5b12918061caa4a8f7825168fa6\Admin@SYMRKCCU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\e0e214b4d2b81ec03aca51fd1994fc50\Admin@SYMRKCCU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	update.exe
File created	C:\Users\Admin\AppData\Local\e0e214b4d2b81ec03aca51fd1994fc50\Admin@SYMRKCCU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	update.exe
File created	C:\Users\Admin\AppData\Local\bc12c5b12918061caa4a8f7825168fa6\Admin@SYMRKCCU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\e0e214b4d2b81ec03aca51fd1994fc50\Admin@SYMRKCCU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	update.exe
File created	C:\Users\Admin\AppData\Local\bc12c5b12918061caa4a8f7825168fa6\Admin@SYMRKCCU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\M:	procexp64.exe
File opened (read-only)	\??\N:	procexp64.exe
File opened (read-only)	\??\T:	procexp64.exe
File opened (read-only)	\??\Y:	procexp64.exe
File opened (read-only)	\??\A:	procexp64.exe
File opened (read-only)	\??\E:	procexp64.exe
File opened (read-only)	\??\K:	procexp64.exe
File opened (read-only)	\??\Z:	procexp64.exe
File opened (read-only)	\??\L:	procexp64.exe
File opened (read-only)	\??\P:	procexp64.exe
File opened (read-only)	\??\W:	procexp64.exe
File opened (read-only)	\??\J:	procexp64.exe
File opened (read-only)	\??\Q:	procexp64.exe
File opened (read-only)	\??\R:	procexp64.exe
File opened (read-only)	\??\X:	procexp64.exe
File opened (read-only)	\??\G:	procexp64.exe
File opened (read-only)	\??\H:	procexp64.exe
File opened (read-only)	\??\I:	procexp64.exe
File opened (read-only)	\??\U:	procexp64.exe
File opened (read-only)	\??\V:	procexp64.exe
File opened (read-only)	\??\B:	procexp64.exe
File opened (read-only)	\??\O:	procexp64.exe
File opened (read-only)	\??\S:	procexp64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
140	yandex.com
141	yandex.com
138	yandex.com
139	yandex.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com
35	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Window Security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Window Security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Window Security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	procexp.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5372	PING.EXE
1104	PING.EXE
5220	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3876	cmd.exe
3496	netsh.exe
3340	cmd.exe
3772	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	procexp64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4824	timeout.exe
2228	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698629855709348"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	chrome.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
5372	PING.EXE
1104	PING.EXE
5220	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4828	schtasks.exe
5012	schtasks.exe
3724	schtasks.exe
4088	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3696	Windows Defender Service Host.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4560	taskmgr.exe
4560	taskmgr.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3604	Cracked.exe
3696	Windows Defender Service Host.exe
3696	Windows Defender Service Host.exe
3604	Cracked.exe
3604	Cracked.exe
2324	powershell.exe
2324	powershell.exe
4052	taskmgr.exe
4052	taskmgr.exe
2324	powershell.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4752	update.exe
4752	update.exe
4752	update.exe
4752	update.exe
4752	update.exe
2364	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3696	Windows Defender Service Host.exe
1712	Windows Security Health Service.exe
2220	Windows Security.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
5992	procexp64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3604	Cracked.exe
Token: SeDebugPrivilege	3696	Windows Defender Service Host.exe
Token: SeDebugPrivilege	4752	update.exe
Token: SeDebugPrivilege	2364	svchost.exe
Token: SeDebugPrivilege	4560	taskmgr.exe
Token: SeSystemProfilePrivilege	4560	taskmgr.exe
Token: SeCreateGlobalPrivilege	4560	taskmgr.exe
Token: SeDebugPrivilege	4256	crack.exe
Token: SeDebugPrivilege	3604	Cracked.exe
Token: SeDebugPrivilege	644	Window Security.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	4052	taskmgr.exe
Token: SeSystemProfilePrivilege	4052	taskmgr.exe
Token: SeCreateGlobalPrivilege	4052	taskmgr.exe
Token: SeDebugPrivilege	2220	Windows Security.exe
Token: SeDebugPrivilege	2220	Windows Security.exe
Token: SeDebugPrivilege	1712	Windows Security Health Service.exe
Token: SeDebugPrivilege	1712	Windows Security Health Service.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeDebugPrivilege	5864	Window Security.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeDebugPrivilege	5316	Windows Defender Service Host.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe
Token: SeShutdownPrivilege	5396	chrome.exe
Token: SeCreatePagefilePrivilege	5396	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4560	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
4052	taskmgr.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5396	chrome.exe
5992	procexp64.exe
5992	procexp64.exe
5992	procexp64.exe
5992	procexp64.exe
5992	procexp64.exe
5992	procexp64.exe
5992	procexp64.exe
5992	procexp64.exe
5992	procexp64.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3696	Windows Defender Service Host.exe
2220	Windows Security.exe
1712	Windows Security Health Service.exe
5992	procexp64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 4256	2636	BTC.exe	90
PID 2636 wrote to memory of 4256	2636	BTC.exe	90
PID 2636 wrote to memory of 4256	2636	BTC.exe	90
PID 2636 wrote to memory of 3604	2636	BTC.exe	91
PID 2636 wrote to memory of 3604	2636	BTC.exe	91
PID 2636 wrote to memory of 2364	2636	BTC.exe	92
PID 2636 wrote to memory of 2364	2636	BTC.exe	92
PID 2636 wrote to memory of 2364	2636	BTC.exe	92
PID 2636 wrote to memory of 4752	2636	BTC.exe	93
PID 2636 wrote to memory of 4752	2636	BTC.exe	93
PID 2636 wrote to memory of 4752	2636	BTC.exe	93
PID 2636 wrote to memory of 644	2636	BTC.exe	94
PID 2636 wrote to memory of 644	2636	BTC.exe	94
PID 2636 wrote to memory of 644	2636	BTC.exe	94
PID 2636 wrote to memory of 3696	2636	BTC.exe	95
PID 2636 wrote to memory of 3696	2636	BTC.exe	95
PID 3696 wrote to memory of 4088	3696	Windows Defender Service Host.exe	100
PID 3696 wrote to memory of 4088	3696	Windows Defender Service Host.exe	100
PID 3604 wrote to memory of 1400	3604	Cracked.exe	102
PID 3604 wrote to memory of 1400	3604	Cracked.exe	102
PID 3604 wrote to memory of 2460	3604	Cracked.exe	103
PID 3604 wrote to memory of 2460	3604	Cracked.exe	103
PID 644 wrote to memory of 4828	644	Window Security.exe	106
PID 644 wrote to memory of 4828	644	Window Security.exe	106
PID 644 wrote to memory of 4828	644	Window Security.exe	106
PID 4256 wrote to memory of 4376	4256	crack.exe	108
PID 4256 wrote to memory of 4376	4256	crack.exe	108
PID 4256 wrote to memory of 4376	4256	crack.exe	108
PID 644 wrote to memory of 2220	644	Window Security.exe	110
PID 644 wrote to memory of 2220	644	Window Security.exe	110
PID 644 wrote to memory of 2220	644	Window Security.exe	110
PID 644 wrote to memory of 2324	644	Window Security.exe	111
PID 644 wrote to memory of 2324	644	Window Security.exe	111
PID 644 wrote to memory of 2324	644	Window Security.exe	111
PID 1400 wrote to memory of 5012	1400	cmd.exe	113
PID 1400 wrote to memory of 5012	1400	cmd.exe	113
PID 2460 wrote to memory of 4824	2460	cmd.exe	115
PID 2460 wrote to memory of 4824	2460	cmd.exe	115
PID 4376 wrote to memory of 2228	4376	cmd.exe	116
PID 4376 wrote to memory of 2228	4376	cmd.exe	116
PID 4376 wrote to memory of 2228	4376	cmd.exe	116
PID 2220 wrote to memory of 3724	2220	Windows Security.exe	117
PID 2220 wrote to memory of 3724	2220	Windows Security.exe	117
PID 2220 wrote to memory of 3724	2220	Windows Security.exe	117
PID 2460 wrote to memory of 1712	2460	cmd.exe	119
PID 2460 wrote to memory of 1712	2460	cmd.exe	119
PID 644 wrote to memory of 4228	644	Window Security.exe	121
PID 644 wrote to memory of 4228	644	Window Security.exe	121
PID 644 wrote to memory of 4228	644	Window Security.exe	121
PID 4228 wrote to memory of 1516	4228	cmd.exe	123
PID 4228 wrote to memory of 1516	4228	cmd.exe	123
PID 4228 wrote to memory of 1516	4228	cmd.exe	123
PID 4752 wrote to memory of 3876	4752	update.exe	149
PID 4752 wrote to memory of 3876	4752	update.exe	149
PID 4752 wrote to memory of 3876	4752	update.exe	149
PID 3876 wrote to memory of 3968	3876	cmd.exe	131
PID 3876 wrote to memory of 3968	3876	cmd.exe	131
PID 3876 wrote to memory of 3968	3876	cmd.exe	131
PID 3876 wrote to memory of 3496	3876	cmd.exe	132
PID 3876 wrote to memory of 3496	3876	cmd.exe	132
PID 3876 wrote to memory of 3496	3876	cmd.exe	132
PID 3876 wrote to memory of 2992	3876	cmd.exe	133
PID 3876 wrote to memory of 2992	3876	cmd.exe	133
PID 3876 wrote to memory of 2992	3876	cmd.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BTC.exe
"C:\Users\Admin\AppData\Local\Temp\BTC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Roaming\crack.exe
  "C:\Users\Admin\AppData\Roaming\crack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6A4E.tmp.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 4
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2228
- C:\Users\Admin\AppData\Roaming\Cracked.exe
  "C:\Users\Admin\AppData\Roaming\Cracked.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp680C.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4824
  - - C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe
      "C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1712
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3340
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:1384
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3772
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:3196
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4408
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:4816
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3576
- C:\Users\Admin\AppData\Roaming\update.exe
  "C:\Users\Admin\AppData\Roaming\update.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:3968
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3496
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    PID:440
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:3148
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3360
- C:\Users\Admin\AppData\Roaming\Window Security.exe
  "C:\Users\Admin\AppData\Roaming\Window Security.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Checks computer location settings
  - Executes dropped EXE
  - Windows security modification
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Window Security.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4828
- - C:\Users\Admin\AppData\Roaming\SubDir34\Windows Security.exe
    "C:\Users\Admin\AppData\Roaming\SubDir34\Windows Security.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir34\Windows Security.exe" /rl HIGHEST /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      System Location Discovery: System Language Discovery
      PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eG7JO7HrQuUg.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5300
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:5356
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5372
  - - C:\Users\Admin\AppData\Roaming\Window Security.exe
      "C:\Users\Admin\AppData\Roaming\Window Security.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1S0tEizOmqEh.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1104
      - C:\Users\Admin\AppData\Roaming\Window Security.exe
        
        "C:\Users\Admin\AppData\Roaming\Window Security.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eNxlD1sQeQqP.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5220
- C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe
  "C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Service Host" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4088

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4440,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8
1⤵
PID:3192

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4052

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3520

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3876

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd3266cc40,0x7ffd3266cc4c,0x7ffd3266cc58
  2⤵
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2132,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1832,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  PID:5676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1860,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2332 /prefetch:8
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3312,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4408,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4404,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4040,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3380,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3332,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3284,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5380,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4388,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3392,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3276,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3212 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5128,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3376,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3212 /prefetch:8
  2⤵
  PID:5332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5140,i,5684912261190594393,11210470258745332012,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:4064

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2080

C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5316

C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1088

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ProcessExplorer\" -spe -an -ai#7zMap1001:92:7zEvent2036
1⤵
PID:400

C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe
"C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2172

C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe
"C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe"
1⤵
- Executes dropped EXE
PID:6016

C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender Service Host.exe"
1⤵
- Executes dropped EXE
PID:1956

C:\Users\Admin\Downloads\ProcessExplorer\procexp64.exe
"C:\Users\Admin\Downloads\ProcessExplorer\procexp64.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery